System and method for assuring the operation of network devices in bridged networks

ABSTRACT

In one embodiment, a spanning tree protocol (STP) is executed to assign a first port of an intermediate network device to a Root Port Role, a second port of the intermediate network device to an Alternate Port Role, a third port of the intermediate network device to a Designated Port Role, and a fourth port of the intermediate network device to a Backup Port Role. At least one bridge protocol data unit (BPDU) message is periodically sent from the first port assigned Root Port Role, the second port assigned Alternate Port Role and the fourth port assigned Backup Port Role, irrespective of receipt of any BPDU messages from neighboring intermediate network devices. In response to a failure to receive a BPDU message from a neighboring intermediate network device on the third port assigned Designated Port Role within a threshold amount of time, one or more actions are taken.

RELATED CASES

This Application for United States Patent is a continuation of U.S.patent application Ser. No. 11/183,002 filed on Jul. 15, 2005 byFrancois E. Tallet et al., for a “System and Method for Assuring theOperation of Network Devices in Bridged Networks”, the contents of whichare incorporated by reference herein in their entirety.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to computer networks, and morespecifically, to a method and apparatus for assuring the properoperation of intermediate network devices.

2. Background Information

A computer network typically comprises a plurality of interconnectedentities. An entity may consist of any device, such as a server or endstation, that “sources” (i.e., transmits) or “sinks” (i.e., receives)data frames. A common type of computer network is a local area network(“LAN”) which typically refers to a privately owned network within asingle building or campus. LANs typically employ a data communicationprotocol (LAN standard), such as Ethernet, FDDI or token ring, thatdefines the functions performed by the data link and physical layers ofa communications architecture (i.e., a protocol stack). In manyinstances, several LANs may be interconnected by point-to-point links,wireless transceivers, satellite hook-ups, etc. to form a wide areanetwork (“WAN”) or intranet that may span an entire country orcontinent.

One or more intermediate network devices are often used to couple LANstogether and allow the corresponding entities to exchange information.For example, a bridge may be used to provide a “bridging” functionbetween two or more LANs. Alternatively, a switch may be utilized toprovide a “switching” function for transferring information between aplurality of LANs or end stations. Typically, the bridge or switch is acomputer and includes a plurality of ports that couple the bridge to theLANs or end stations. The switching function includes receiving datafrom a sending entity at a source port and transferring that data to atleast one destination port for forwarding to the receiving entity.

Switches and bridges typically learn which destination port to use inorder to reach a particular entity by noting on which source port itreceived a message generated by that entity. This information is thenstored by the bridge in a block of memory referred to as a filteringdatabase. Thereafter, when a message addressed to a given entity isreceived on a source port, the bridge looks up the entity in itsfiltering database and identifies the appropriate destination port toreach that entity. If no destination port is identified in the filteringdatabase, the bridge floods the message out all ports, except the porton which the message was received. Messages addressed to broadcast ormulticast addresses are also flooded.

Additionally, most computer networks are either partially or fullymeshed. That is, they include redundant communications paths so that afailure of any given link or device does not isolate any portion of thenetwork. The existence of redundant links, however, may cause theformation of circuitous paths or “loops” within the network. Loops arehighly undesirable because data frames may traverse the loopsindefinitely. Furthermore, because switches and bridges replicate (i.e.,flood) frames whose destination port is unknown or which are directed tobroadcast or multicast addresses, the existence of loops may cause aproliferation of data frames so large that the network becomesoverwhelmed.

Spanning Tree Protocol

To avoid the formation of loops, most bridges and switches execute aspanning tree protocol or algorithm which allows them to calculate anactive network topology that is loop-free (i.e., a tree) and yetconnects every pair of LANs within the network (i.e., the tree isspanning). The Institute of Electrical and Electronics Engineers (IEEE)has promulgated a standard (IEEE Std. 802.1D-1998) that defines aspanning tree protocol to be executed by 802.1D compatible devices. Ingeneral, by executing the 802.1D spanning tree protocol, bridges elect asingle bridge within the bridged network to be the “root” bridge. The802.1D standard takes advantage of the fact that each bridge has aunique numerical identifier (bridge ID) by specifying that the root isthe bridge with the lowest bridge ID. In addition, for each LAN coupledto more than one bridge, only one (the “designated bridge”) is electedto forward frames to and from the respective LAN. The designated bridgeis typically the one closest to the root. Each bridge also selects oneport (its “root port”) which gives the lowest cost path from that bridgeto the root. The root ports and designated bridge ports are selected forinclusion in the active topology and are placed in a forwarding state sothat data frames may be forwarded to and from these ports and thus ontothe corresponding paths or links of the network. Ports not includedwithin the active topology are placed in a discarding or blocking state.When a port is in the blocking state, data frames will not be forwardedto or received from the port, although control frames may continue to bereceived and processed by the bridge. A network administrator may alsoexclude a port from the spanning tree by placing it in a disabled state.

To obtain the information necessary to run the spanning tree protocol,bridges exchange special messages called configuration bridge protocoldata unit (BPDU) messages. More specifically, upon start-up, each bridgeinitially assumes that it is the root and transmits BPDU messagesaccordingly. Upon receipt of a BPDU message from a neighboring device,its contents are examined and compared with similar information (e.g.,assumed root and lowest root path cost) stored by the receiving bridge.If the information from the received BPDU is “superior” to the storedinformation, the bridge adopts the superior information and uses it inthe BPDUs, if any, that it sends (adding the cost associated with thereceiving port to the root path cost) from its ports. Bridges do notsend BPDU messages from ports on which the “superior” information wasreceived such as root ports. Although BPDU messages are not forwarded bybridges, the identifier of the root is eventually propagated to andadopted by all bridges as described above, allowing them to select theirroot port and any designated port(s).

In order to adapt the active topology to changes and failures, the rootperiodically (e.g., every hello time) transmits BPDU messages from itsports. The default hello time is two seconds. In response to receivingBPDUs on their root ports, bridges transmit their own BPDUs from theirdesignated ports, if any. Thus, every two seconds BPDUs are propagatedthroughout the bridged network, confirming the active topology. If abridge stops receiving BPDU messages on a given port (indicating apossible link or device failure), it will continue to increment a timeruntil the timer reaches a maximum age (max age) threshold at which pointthe timer expires. The bridge will then age out, i.e., discard, itsstored BPDU information and proceed to re-calculate the root, root pathcost and root port by transmitting BPDU messages utilizing the next bestinformation it has. The maximum age value used within the bridgednetwork is typically set by the root, which enters the appropriate valuein its BPDU messages. Normally, each bridge replaces its stored BPDUinformation every hello time, thereby preventing it from being discardedand maintaining the current active topology.

When BPDU information is updated and/or aged-out and the active topologyis re-calculated, ports may transition from the blocking state to theforwarding state and vice versa. That is, as a result of new BPDUinformation, a previously blocked port may learn that it should be inthe forwarding state (e.g., it is now the root port or a designatedport). Rather than transition directly from the blocking state to theforwarding state, the IEEE 802.1D-1998 standard calls for ports totransition through two intermediate states: a listening state and alearning state. In the listening state, a port waits for informationindicating that it should return to the blocking state. If, by the endof a preset time, no such information is received, the port transitionsto the learning state. In the learning state, a port still blocks thereceiving and forwarding of frames, but received frames are examined andthe corresponding location information is stored in the bridge'sfiltering database. At the end of a second preset time, the porttransitions from the learning state to the forwarding state, therebyallowing frames to be forwarded to and from the port. The time spent ineach of the listening and the learning states is referred to as theforwarding delay.

Although the spanning tree protocol provided in the IEEE 802.1D-1998standard is able to maintain a loop-free topology despite networkchanges and failures, recalculation of the active topology can be a timeconsuming and processor intensive task. For example, re-calculation ofthe spanning tree following an intermediate device crash or failure cantake approximately thirty seconds. During this time, message delivery isoften delayed as ports transition between states. Such delays can haveserious consequences on time-sensitive traffic flows, such as voice orvideo traffic streams.

Rapid Spanning Tree Protocol

Recently, the IEEE issued a new version of the 802.1D standard, known asIEEE Std. 802.1D-2004, that describes a rapid spanning tree protocol(RSTP) to be executed by otherwise 802.1D compatible devices. The RSTPsimilarly selects one bridge of a bridged network to be the root bridgeand defines an active topology that provides complete connectivity amongthe LANs while severing any loops. Each individual port of each bridgeis assigned a port role according to whether the port is to be part ofthe active topology. The port roles defined by the 802.1D-2004 standardinclude Root, Designated, Alternate and Backup. The bridge port offeringthe best, e.g., lowest cost, path to the root is assigned the Root PortRole. Each bridge port offering an alternative, e.g., higher cost, pathto the root is assigned the Alternate Port Role. Each bridge portproviding the lowest cost path from a given LAN is assigned theDesignated Port Role, while all other ports coupled to the given LAN inloop-back fashion are assigned the Backup Port Role.

Those ports that have been assigned the Root Port and Designated PortRoles are placed in the forwarding state, while ports assigned theAlternate and Backup Roles are placed in a discarding or blocking state.A port assigned the Root Port Role can be rapidly transitioned to theforwarding state provided that all of the ports assigned the AlternatePort Role are placed in the discarding or blocking state. Similarly, ifa failure occurs on the port currently assigned the Root Port Role, aport assigned the Alternate Port Role can be reassigned to the Root PortRole and rapidly transitioned to the forwarding state, provided that theprevious root port has been transitioned to the discarding or blockingstate. A port assigned the Alternate Port Role or a Backup Port Rolethat is to be reassigned to the Designated Port Role can be rapidlytransitioned to the forwarding state, provided that the roles of theports of the downstream bridge are consistent with this port beingtransitioned to forwarding. The RSTP provides an explicit handshake tobe used by neighboring bridges to confirm that a previously blockingport can rapidly transition to the forwarding state.

Like the original version of the STP described in IEEE Std. 802.1D-1998,bridges running the RSTP also exchange BPDU messages in order todetermine which roles to assign to the bridge's ports. As with the priorSTP standard, bridges running RSTP only send periodic BPDU messages fromports assigned to the Designated Port Role. BPDU messages are not sentfrom ports assigned to any other roles. BPDU messages are, however,utilized in the handshake employed to rapidly transition designatedports to the forwarding state. Thus, before transitioning Alternate Portto the Root Port, the bridge will send a BPDU message from the AlternatePort. RSTP also uses timers, including a received information while(rcvdInfoWhile) timer, which is similar to STP's max age timer. ThercvdInfoWhile timer is a count down (to zero) timer, while the max agetimer is a count up timer.

Loops and Failures Undetectable by Spanning Tree Protocols

In some cases, a single, duplex link coupling two neighboring bridges(which are also indirectly coupled through other bridges or devices) mayphysically comprise two simplex, i.e., unidirectional, transmissionlines, such as two fiber optic lines, operating in opposite directions.Certain failures associated with such lines can result in the formationof loops that are undetectable by the STP. For example, suppose twobridges, designated A and B, are connected by a single trunk link formedfrom two unidirectional transmission lines, and that the respective portat Bridge B is assigned the designated port role, while the peer port atBridge A is assigned the alternate port role. In this case, the port atBridge B is placed in the forwarding state and the port at bridge A isplaced in the discarding state. As long as the port at Bridge Acontinues to receive “superior” BPDU messages from Bridge B, it willremain in the blocking state. Suppose, however, that the trunk linkbecomes unidirectional. That is, bridge B continues to send BPDUmessages to Bridge A, but these BPDU messages are never received, andyet the trunk line is not considered to be “down”. Accordingly, the BPDUinformation stored for the port at Bridge A eventually ages out and theSTP running at Bridge A transitions the port to the forwarding state.Because Bridge B is unaware of the link failure, the port at Bridge Bremains in the forwarding state. With the ports at both Bridge A andBridge B in the forwarding state a loop is created. As described above,the creation of such a loop causes network messages to be replicated,wasting substantial network bandwidth and potentially causing a networkoutage.

A loop may also be created as a result of an error or failure in theoperation of the STP process at Bridge B, such as a software error.Specifically, control messages, like BPDU messages, are often processedby software elements executing at a microprocessor located on asupervisor module. In contrast, data messages are typically processed byone or more hardware elements disposed on a line card in order toimprove the bridge's performance. This may lead to a situation in whichthe control plane at the bridge, e.g., the execution of the STP processat the supervisor module, fails or becomes too busy to run the STP in atimely manner, while the hardware elements at the line cards continue toprocess and forward data messages. As a result of such a failure at thecontrol plane, Bridge B may stop sending BPDU messages sent from a givenport, even though it continues to forward data messages from this port.In response, the STP process running at Bridge A concludes that its portshould now be re-assigned the Designated Port Role and that it should betransitioned to the forwarding state. With the ports at both Bridge Aand Bridge B in the forwarding state, a loop is created.

In summary, unidirectional failures resulting in the formation of loopsmay occur as a result of malfunctioning or faulty network interfacecards (NICs) and/or transceivers. Similarly, a switch's microprocessormay become too busy with other tasks to send BPDU messages for arelatively long time, or a software crash may occur in the control planeresulting in the formation of a loop. In addition, if a link up/downdetection and/or autonegotiation protocol is disabled, e.g., by networkadministrator action, unidirectional failures may go undetected,resulting in loops. Accordingly, a need exists to assure the continuedand proper operation of intermediate network devices within a computernetwork.

SUMMARY OF THE INVENTION

Briefly, the present invention is directed to a system and method forassuring the proper operation of intermediate network devices, such asbridges, in computer networks. An intermediate network device operatingin accordance with the present invention preferably includes a pluralityof ports for receiving and forwarding network messages and a spanningtree protocol (STP) engine in communicating relationship with the ports.The STP engine includes a port transition state machine fortransitioning the ports among a plurality of STP states, such as adiscarding or blocking state, and a forwarding state. The STP enginealso includes a port role selection state machine for assigning STProles to the ports or for recognizing the association of roles to theports, including a Root Port Role, an Alternate Port Role, a DesignatedPort Role and a Backup Port Role. In accordance with the presentinvention, the STP engine further includes a bridge assurance (BA)sub-engine. The BA sub-engine determines whether neighboring bridges areoperating properly, and takes corrective action if an error condition isdetected.

First, the BA sub-engine preferably directs the STP engine to generateand send configuration bridge protocol data unit (BPDU) messages fromports assigned to the Root, Alternate and Backup roles. That is, the BAsub-engine directs the STP to periodically send BPDU messages from thebridge's Root and Alternate ports, in addition to the BPDU messages thatthe STP sends from the bridge's Designated ports. The BA sub-engine alsolooks for the receipt of BPDU messages on all bridge ports to which atleast one neighboring bridge is coupled. Accordingly, if BPDU messagesare never received on such a port, or they stop being received, the BAsub-engine detects an error condition, such as a uni-directional linkfailure. In one embodiment, the BA sub-engine will also prevent a portthat stops receiving BPDUs from being transitioned to a forwardingstate. Thus, by directing the STP engine to now send BPDU messages fromthe bridge's Root and Alternate ports as well as its Designated ports,the BA sub-engine is able to assure that its neighbor bridges areoperating properly.

In addition to directing the STP engine to send BPDU messages from Root,Alternate and Backup ports, the BA sub-engine also includes a pluralityof timers for each port, which are used in response to the detection ofcertain failures. More specifically, when a BPDU message is firstreceived on a port, the BA sub-engine starts a BA timer for that port.Each time another BPDU message is received on the port, the port's BAtimer is re-started. If the timer expires, indicating that the portnever received any BPDU messages or stopped receiving BPDU messages,then BA sub-engine directs the STP engine to transition the affectedport to the discarding state. In addition, if a Root or Alternate portreceives a BPDU carrying information that is inferior to the STPinformation stored by that port, a role restricted timer is started. Ifthe BPDU with inferior information was received on a Root port, then theBA sub-engine directs the STP engine to elect a new root port. The BAsub-engine also prevents a port whose role restricted timer is runningfrom being elected the Root port, and instead causes the port to end upas an Alternate port. The role restricted timer may be de-activated whenthe port becomes an Alternate port, or if the port stops receiving BPDUmessages with the inferior information.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention description below refers to the accompanying drawings, ofwhich:

FIG. 1 is a highly schematic illustration of a computer network;

FIGS. 2 and 3 are highly schematic, partial block diagrams of anintermediate network device in accordance with the present invention;and

FIG. 4 is a highly schematic illustration of a computer network.

DETAILED DESCRIPTION OF AN ILLUSTRATIVE EMBODIMENT

FIG. 1 is a highly schematic illustration of a computer network 100 inaccordance with the present invention. Network 100 includes twointermediate network devices, such as bridges, 102 and 104. Each bridge102 and 104, moreover, has a plurality of ports 106 for interconnectingthe bridges to other network entities, such as end stations, bridges,hubs, routers, local area network (LAN) segments, etc. Bridges 102 and104 are interconnected by two segments 108 and 110, which may be LANs orother shared media. Each bridge preferably identifies its own ports,e.g., by port numbers such as zero (P0), one (P1), two (P2), etc. Thebridges 102 and 104 are thus able to associate specific ports with thatare reachable through those ports.

It should be understood that the network 100 of FIG. 1 is meant forillustrative purposes only, and that the present invention will operatewith other, possibly far more complex, network topologies.

As shown, network 100 includes redundant paths interconnecting switches102 and 104. The existence of redundant paths in a computer networktypically prevents portions of the network from becoming isolated shouldany constituent segment or intermediate device fail. Such redundancy,however, also results in the creation of loops, which, as describedabove, are highly undesirable in layer 2 (L2) networks.

Execution of a spanning tree protocol (STP) or algorithm prevents loopsby defining a loop-free network topology (i.e., an active topology).However, as set forth above, in some situations, conventional spanningtree protocols or algorithms may not detect the existence or formationof all loops. In addition, the conventional spanning tree protocols oralgorithms do not identify other errors or failures, such as failuresoccurring in the control plane of neighboring bridges. To assure thatthe bridges 102 and 104 of network 100 are operating properly, amongother reasons, bridges 102 and 104 preferably utilize a “bridgeassurance” mechanism in accordance with the present invention.

FIG. 2 is a partial block diagram of an intermediate network device inaccordance with the present invention, such as bridge 102. As mentionedabove, bridge 102 includes a plurality of ports 106 a-e each of which ispreferably identified by a number (e.g., P0-P4). Bridge 102 furtherincludes one or more frame transmission and reception objects,designated generally 204, that are associated with the ports 106 a-e,such that network messages, including data and control packets andframes, received at a given port, e.g., P3, may be captured, and framesto be transmitted by bridge 102 may be delivered to a given port, e.g.,P1.

Bridge 102 further includes at least one protocol entity 206 comprisinga plurality of components. In particular, the protocol entity 206includes at least one spanning tree protocol (STP) engine 208 and atleast one forwarding engine 210. The STP engine 208 preferably comprisesa plurality of subcomponents, including a port role selection statemachine 212, a port transition state machine 214, and a bridge protocoldata unit (BPDU) message generator 216. In accordance with the preferredembodiment, the STP engine 208 further includes a bridge assurancesub-engine 218. Except as described herein, the STP engine 208preferably operates substantially in compliance with a known spanningtree protocol or algorithm, such as the Rapid Spanning Tree Protocol(RSTP) defined in IEEE Std. 802.1D-2004 specification standard, or theMultiple Spanning Trees (MST) protocol defined in IEEE Std. 802.1Ssupplement to IEEE Std. 802.1Q, among others, both of which are herebyincorporated by reference in their entirety.

The bridge assurance sub-engine 218 preferably includes or otherwise hasaccess to several sub-components of its own. In particular, the bridgeassurance sub-engine 218 preferably has one or more BA timers, such asBA timers 217 a-c, and one or more role restricted timers, such a rolerestricted timers 219 a-c.

The STP engine 208 includes or is in communicating relationship with amemory 220, which may be a volatile or non-volatile random access memory(RAM) or some other memory structure or device. Memory 220 is preferablyorganized to include a plurality of records or cells (not shown) forstoring spanning tree related information or parameters, such as theswitch's numeric bridge identifier (ID), the assigned path cost for eachport 106 a-e, the current or “best” spanning tree information for eachport P0-P4, etc.

The forwarding engine 210 is in communicating relationship with theframe transmission and reception objects 204 and is coupled to at leastone filtering database 222 that stores address information correspondingto at least some of the entities of network 100 (FIG. 1). Specifically,filtering database 222 has a plurality of records (not shown) eachcontaining a plurality of cells, including a destination address cell, adestination port cell and a corresponding timer cell. Each record in thefiltering database 222 preferably corresponds to a particular networkentity.

The forwarding engine 210 is configured to switch or bridge networkmessages, such as data packets and/or frames, from a source port 106 toone or more destinations ports 106 depending on information contained inthe forwarding database 222 and also on the spanning tree port states ofthe respective ports 106 as managed by STP engine 208. The forwardingengine 210 is also in communicating relationship with the STP engine 208and relays STP-related messages, such as BPDU messages, received atports 106. In other embodiments, STP engine 208 may also be directlycoupled to the frame transmission and reception objects 204.

In the illustrated embodiment, bridge 102 includes transmitting andreceiving circuitry, including one or more line cards and/or networkinterface cards (NICs) establishing ports for the exchange of networkmessages, one or more supervisor cards having central processing units(CPUs) and/or microprocessors and associated memory devices forperforming computations and storing the results therefrom and one ormore bus structures. FIG. 3 is another highly schematic, partial blockdiagram of bridge 102 illustrating such components. As shown in FIG. 3,bridge 102 includes a plurality of line cards 302 and 304, and asupervisor card 306. Cards 302, 304 and 306 are in communicatingrelationship with each other through a communication bus 308. Each ofthe line cards 302 and 304 includes a microprocessor (μP) 310 and atleast one memory 312. The supervisor card 306 also includes a μP 314, aswell as both a non-volatile (N-V) memory 316 and a volatile memory 318,e.g., RAM.

Referring again to FIG. 2, it will be understood by those skilled in theart that STP engine 208 and forwarding engine 210 may each compriseregisters and combinational logic configured and arranged to producesequential logic circuits. In the illustrated embodiment, engines 208and 210 are preferably software modules or libraries stored at a memory,such as memory 312, and containing program instructions pertaining tothe methods described herein and executable by one or more processingelements, such as μP 314, of switch 102. Other computer readable mediamay also be used to store and execute these program instructions.Nonetheless, those skilled in the art will recognize that variouscombinations of software and hardware, including firmware, may beutilized to implement the present invention.

Suitable intermediate network device platforms for use with the presentinvention include, but are not limited to, the commercially availableCatalyst 4000 and 6000 series of switches from Cisco Systems, Inc. ofSan Jose, Calif.

Execution of the STP by bridges 102 and 104 of network 100 results inthe convergence to an active topology with one device, e.g., bridge 102,being elected the root, as indicated by the letter “R”. In this case,the ports of bridge 102 are assigned to the Designated Port Role, asindicated by the letter “D,” and are transitioned to the forwardingstate. At bridge 104, one port, e.g., the port coupled to segment 110 isassigned the Root Port Role, as indicated by the letter “R,” and istransitioned to the forwarding state, and the port coupled to segment108 is assigned to the Alternate Port Role, as indicated by the letter“A”, as it represents an alternate path to root 110. The port assignedto the Alternate Port Role is transitioned to the blocking or discardingstate. The terms blocking and discarding are used interchangeablyherein.

With the conventional operation of the STP, such as the RSTP or theMSTP, once ports are assigned to the Root and Alternate Port Roles, theSTP engine stops issuing BPDU messages from these ports. Here, incontrast, the bridge assurance sub-engine 218 of bridge 104 is speciallyconfigured to direct the STP engine 208 to continue to generate and sendBPDU messages from its Root Port and its Alternate Port. Preferably, thebridge assurance sub-engine 218 directs the STP engine 208 to utilizeits BPDU message generator 216 to generate and send BPDU messagesperiodically from ports assigned to both the Root Port Role and theAlternate Port Role. If bridge 104 had any ports assigned to the BackupPort Role, the bridge assurance sub-engine 218 may further direct theSTP engine 208 to send periodically BPDU message from these ports aswell. Thus, bridge assurance sub-engine 218 effectively directs STPengine 208 to send BPDU messages from the ports assigned to the Root,Alternate and Backup Roles

In the preferred embodiment, the BA sub-engine 218 directs the STPengine 208 to send BPUD messages periodically from its ports assigned tothe Root, Alternate and Backup roles irrespective of receiving any BPDUmessages on its root port. Specifically, BA sub-engine 218 may furtherinclude one or more hello timers, such as hello timer 224. Each time thehello timer 224 expires, the BA assurance sub-engine 218 directs the STPengine 208 to send BPDU messages from the ports assigned to the Root,Alternate and Backup Roles. The BA sub-engine 218 then re-starts thehello time 224. The STP engine 208 may also utilize the hello timer 224to trigger the issuance of BPDU messages from the bridge's Designatedport(s), if any.

The BPDU messages sent from the ports assigned to the Root, Alternateand Backup roles preferably carry the ID of the bridge that the issuingbridge considers to be the root of the computer network, e.g., thebridge with the lowest numeric ID, in the BPDU message's root ID field.The BPDU messages also include the root path cost as calculated for theport from which the BPDU message is being sent in the message's RootPath Cost field.

In addition to directing the STP engine 208 to send BPDU messages fromports assigned to the Root, Alternate and Backup roles, the bridgeassurance sub-engine 218 is further configured to look for BPDU messagesto be received on all ports that are coupled to a neighboring bridge,even parts that are assigned to the Designated Port Role. The bridgeassurance sub-engine 218 may determine that a given port is coupled to aneighboring bridge in several ways. For example, a network administratormay configure the bridge such that one or more ports are explicitlyconfigured as being coupled to a neighboring bridge. This may beaccomplished by entering one or more commands at a management consoleand/or by using the well-known Simple Network Management Protocol(SNMP). The bridge assurance sub-engine 218 may also determine that agiven port is coupled to a neighboring bridge as a result of receiving aBPDU message on the given port.

For each port that is coupled to a neighboring bridge, the bridgeassurance sub-engine 218 preferably assigns a corresponding BA timer tothat port. The bridge assurance sub-engine utilizes the assigned BAtimer to detect whether the flow of BPDU messages from its neighboringbridge is ever interrupted. The BA timer can also reveal the existenceof a neighboring bridge that has not sent any BPDU messages. Inaccordance with the preferred embodiment, the bridge assurancesub-engine 218 preferably first starts the assigned BA timer when therespective port is brought up, e.g., initialized, provided that the porthas been configured for bridge assurance operation. The bridge assurancesub-engine 218 then re-starts the BA timer when the first BPDU messageis received. Thereafter, each time another BPDU message is received onthe port, the bridge assurance sub-engine 218 again re-starts the BAtimer assigned to that port. With reference to FIG. 1. The bridgeassurance sub-engine 218 at bridge 102 establishes a first BA timer,e.g., timer 217 a, for its port coupled to segment 110, and a second BAtimer, e.g., timer 217 b, for its port coupled to segment 108. If a BAtimer ever expires, indicating either that (1) no BPDU message was everreceived on this port or (2) that the flow of BPDU messages has stopped,then the bridge assurance sub-engine 218 detects a failure condition.

It should be understood that the expiration of a BA timer may be causedby several circumstances. First, the link between the two bridges mayhave suffered a failure. For example, segment 110 may suffer from auni-directional failure condition such that it cannot transmit anymessage from bridge 104. In this case, bridge 104 may still be able toreceive messages from bridge 102 via segment 110, but bridge 102 can nolonger receive any messages from bridge 104 via segment 110. As aresult, bridge 102 a will stop receiving BPDU messages from bridge 104via segment 110, and the BA timer assigned to this port, e.g., timer 217a, will eventually time-out and expire. Another situation that mighttrigger the expiration of BA timer 217 a at bridge 102 is a controlplane failure at bridge 104. For example, the STP process running atbridge 104 may crash, causing bridge 104 to stop sending BPDU messagesfrom any of its ports.

In response to the expiration of a BA timer, the bridge assurancesub-engine 218 may take one or more actions. In the preferredembodiment, the bridge assurance sub-engine 218 responds by reportingthe error condition to the network administrator. In particular, thesub-engine 218 may direct the STP engine 208 or some other entity atbridge 102 to issue an error message to the management console or tosome other network management device. By virtue of such an errormessage, a network administrator may investigate and hence determine thetrue cause of the error condition.

Bridge assurance sub-engine 218 may also direct the port whose BA timerexpired to transition to a blocking or discarding state to prevent thepossible formation of a loop in the bridged network. More specially, asindicated above, the bridge assurance sub-engine 218 establishes a BAtimer for each port coupled to a neighboring bridge. Thus, the bridgeassurance sub-engine at bridge 104 establishes a BA timer for each ofits two ports. Suppose, the BA timer established for the port of bridge104 coupled to segment 108, which port is assigned to the Alternate PortRole and is thus blocked from sending or receiving data messages,expires. Suppose further that the BA timer expires because the STPprocess at bridge 102 crashes thereby stopping the flow of BPDU messagesfrom bridge 102 to bridge 104 via segment 108, even though the ports ofbridge 102 continue to send and receive data messages. The conventionalSTP would respond by transitioning the port at bridge 104 from theAlternate Port Role to the Designated Port Role, and the port would bemoved from the discarding state to the forwarding state. However,because bridge 102 continues to forward data messages, an undesirableloop would be formed between bridges 102 and 104.

In contrast, with the present invention, the bridge assurance sub-engine218, in response to detecting the expiration of the BA timer assigned tothe port, preferably blocks the STP engine 208 at bridge 104 fromassigning this port to the Designated Port Role. Instead, the bridgeassurance sub-engine 218 directs the STP engine 208 to keep this port inthe blocking or discarding state. In this way, the bridge assurancesub-engine 218 of the present invention prevents the formation of apermanent loop within the network.

The bridge assurance sub-engine also prevents the formation of permanentloops due to other circumstances that are not detected by theconventional STP. FIG. 4 is a highly schematic illustration of acomputer network 400. Network 400 has three bridges 402, 403, and 404.Each bridge, moreover, has a plurality of ports 406. All three bridges402-304 are interconnected by a shared segment 408. In addition, bridges403 and 404 are interconnected by a second shared segment 410, andbridges 402 and 403 are directly connected by link 411. Suppose, bridge402 is elected the root of the bridged network 400, as indicated by theletter “R.” Bridge 402 thus assigns its two ports 406 to the DesignatedPort Role, and transitions them to the forwarding state. Suppose furtherthat bridge 403 assigns its port coupled to segment 408 to the Root PortRole, and its other two ports to the Alternate Port Role. Suppose alsothat bridge 404 assigns its port coupled to segment 410 to the Root PortRole and its other port to the Alternate Port Role.

Now suppose that bridge 404 experiences a uni-directional link failureregarding its port coupled to segment 408. That is, bridge 404 cancontinue to send data and control messages onto segment 408, but cannotreceive any data or control messages from segment 408. Accordingly,bridge 404 will stop receiving periodic BPDU messages from bridge 402whose port is coupled to segment 408 and is assigned to the DesignatedPort Role. Bridge 404 will also stop receiving periodic BPDU messagesfrom bridge 403, even though its port is assigned to the Alternate PortRole, because the bridge assurance sub-engine 218 at bridge 403 sendsBPDU messages onto segment 408. Nonetheless, none of these BPDU messageswill be received by bridge 404. Accordingly, the spanning treeinformation stored by bridge 404 for its port coupled to segment 408will age out, and bridge 404 will be begin to issue BPDU messages thatcontain inferior STP information as compared to the STP informationcontained in BPDU messages from root bridge 402, which superiorinformation is also stored at bridge 403. Because bridge 404 cannotreceive the superior BPDU message from root bridge 402, it would,through conventional operation of the STP, re-assign its port coupled tosegment 408 from the Alternate Port Role to the Designated Port Role,and transition the port from the discarding state to the forwardingstate. Such a transition would result in the formation of a loop in thebridged network 400.

The bridge assurance sub-engine 218 at bridge 403, however, prevents theformation of this loop. In particular, when the bridge assurancesub-engine 218 at bridge 403 detects the receipt of an “inferior” BPDUmessages from bridge 404, it preferably assigns and starts a rolerestricted timer 219 for the port on which the “inferior” BPDU wasreceived. Furthermore, because this port now has a restricted role timerrunning, the bridge assurance sub-engine 218 of bridge 403 directs theSTP engine 208 to transition the port to the discarding state. Becausethis port was the root port for bridge 403, this forces bridge 403 toelect a new root port for itself. Furthermore, so long as the rolerestricted timer continues to run, the bridge assurance sub-engine 218prevents the STP engine from assigning this port to any spanning treerole in which the port would be forwarding. That is, the bridgeassurance sub-engine 218 prevents the port from becoming a Root Port. Inparticular, each time the STP engine 208 receives superior BPDUinformation from bridge 402 via segment 408, and seeks to assign itsport 406 coupled to segment 408 to the Root Port Role, the running ofthe role restricted timer causes the bridge assurance sub-engine 218 toblock such action. As a result, the port at bridge 403 coupled tosegment 408 ends up becoming an Alternate Port, and the port of bridge403 that is coupled to bridge 402 via link 411 ends up becoming thebridge's new root port.

The role restricted timer may be set to expire at the max age value. Inan alternative embodiment, it may also be disabled if bridge 403 beginsreceiving BPDU messages from bridge 404 that contain superiorinformation, thereby indicating that the uni-directional link failurehas been corrected.

The foregoing description has been directed to specific embodiments ofthis invention. It will be apparent, however, that other variations andmodifications may be made to the described embodiments, with theattainment of some or all of their advantages. For example, other STPcontrol messages, besides or in addition to the configuration bridgeprotocol data unit messages, may be issued by the STP engine. Therefore,it is an object of the appended claims to cover all such variations andmodifications as come within the true spirit and scope of the invention.

1. A method comprising: executing a spanning tree protocol (STP) at anintermediate network device to assign a first port of the intermediatenetwork device to a Root Port Role, a second port of the intermediatenetwork device to an Alternate Port Role, a third port of theintermediate network device to a Designated Port Role, and a fourth portof the intermediate network device to a Backup Port Role; periodicallysending at least one bridge protocol data unit (BPDU) message from thefirst port assigned Root Port Role, the second port assigned AlternatePort Role and the fourth port assigned Backup Port Role, irrespective ofreceipt of any BPDU messages at the intermediate network device fromneighboring intermediate network devices; detecting a failure to receivea BPDU message from a neighboring intermediate network device on thethird port assigned Designated Port Role within a threshold amount oftime; and in response to the failure to receive the BPDU message fromthe neighboring intermediate network device, taking one or more actions.2. The method of claim 1, further comprising: operating a hello timerhaving a threshold, wherein the periodically sending sends the at leastone BPDU from the first port assigned Root Port Role, the second portassigned Alternate Port Role and the fourth port assigned Backup PortRole each time the hello timer reaches the threshold.
 3. The method ofclaim 1, wherein the detecting further comprises: starting a timerassociated with the third port assigned Designated Port Role;re-starting the timer each time a BPDU message is received on the thirdport assigned Designated Port Role; and detecting the failure to receivethe BPDU message when the timer reaches the threshold.
 4. The method ofclaim 1, further comprising: determining that the third port assignedDesignated Port Role is coupled to the neighboring intermediate networkdevice based on explicit configuration of the third port by a networkadministrator.
 5. The method of claim 1, further comprising: determiningthat the third port assigned Designated Port Role is coupled to theneighboring intermediate network device based on receipt of one or moreBPDU messages on the third port.
 6. The method of claim 1, furthercomprising: detecting a further failure to receive a BPDU message from aneighboring intermediate network device on the first port assigned RootPort Role, the second port assigned Alternate Port Role or the fourthport assigned Backup Port Role; and in response to the further failure,taking one or more further actions.
 7. The method of claim 1, furthercomprising periodically sending at least one BPDU message from the thirdport assigned Designated Port Role.
 8. The method of claim 1, whereinthe one or more actions include blocking the third port.
 9. The methodof claim 1, wherein the one or more actions include issuing an errormessage to a network management device.
 10. An apparatus comprising: aplurality of ports; a memory configured to store indications of assignedport roles for the plurality of ports; a spanning tree protocol (STP)engine configured to assign a first port of the plurality of ports to aRoot Port Role and a second port of the plurality of ports to anAlternate Port Role; a memory configured to store indications ofassigned port roles; a bridge assurance sub-engine cooperating with theSTP engine, the bridge assurance sub-engine configured to direct the STPengine to periodically send at least one bridge protocol data unit(BPDU) message from the first port assigned Root Port Role and thesecond port assigned Alternate Port Role, irrespective of receipt of anyBPDU messages at the apparatus from neighboring intermediate networkdevices on the first port assigned Root Port Role or the second portassigned Alternate Port Role, detect a failure to receive a BPDU messagewithin a threshold amount of time on a particular port of the pluralityof ports that is coupled to a neighboring intermediate network device,and in response to the failure to receive the BPDU message on theparticular port, block the particular port.
 11. The apparatus of claim10, further comprising: a hello timer having a threshold, wherein thebridge assurance sub-engine is further configured to direct the STPengine to periodically send the at least one BPDU message from the firstport assigned Root Port Role and the second port assigned Alternate PortRole each time the hello timer reaches the threshold.
 12. The apparatusof claim 10, further comprising: a bridge assurance (BA) timerconfigured to re-start each time a BPDU message is received on theparticular port and to expire if not re-started, wherein the bridgeassurance sub-engine is further configured to detect the failure toreceive the BPDU message by expiration of the BA timer.
 13. Theapparatus of claim 10, wherein the bridge assurance sub-engine isfurther configured to determine that the particular port is coupled tothe neighboring intermediate network device based on explicitconfiguration by a network administrator.
 14. The apparatus of claim 10,wherein the bridge assurance sub-engine is configured to determine thatthe particular port is coupled to the neighboring intermediate networkdevice based on receipt of one or more BPDU messages on the particularport.
 15. The apparatus of claim 10, wherein the bridge assurancesub-engine is further configured to direct the STP engine toperiodically send at least one BPDU message from a third port assignedDesignated Port Role.
 16. The apparatus of claim 10, wherein the bridgeassurance sub-engine is further configured to direct the STP engine toperiodically send at least one BPDU message from a fourth port assignedBackup Port Role, irrespective of receipt of any BPDU messages at theapparatus from neighboring intermediate network devices on the fourthport assigned Backup Port Role.
 17. The apparatus of claim 10, whereinthe bridge assurance sub-engine is further configured to, in response tothe failure to receive the BPDU message on the particular port that iscoupled to the neighboring intermediate network device, issue an errormessage to a network management device.
 18. A non-transitorycomputer-readable medium having software encoded thereon, the softwarewhen executed operable to: execute a spanning tree protocol (STP) toassign a first port of an intermediate network device to a Root PortRole, a second port of the intermediate network device to an AlternatePort Role, a third port of the intermediate network device to aDesignated Port Role, and a fourth port of the intermediate networkdevice to a Backup Port Role; periodically send at least one bridgeprotocol data unit (BPDU) message from the first port assigned Root PortRole, the second port assigned Alternate Port Role and the fourth portassigned Backup Port Role, irrespective of receipt of any BPDU messagesat the intermediate network device from neighboring intermediate networkdevices; detect a failure to receive a BPDU message within a thresholdamount of time on a particular port that is coupled to a neighboringintermediate network device; and in response to the failure to receivethe BPDU message, block the particular port.
 19. The non-transitorycomputer-readable medium of claim 18, wherein the software when executedis further operable to: operate a hello timer having a threshold; andsend the at least one BPDU from the first port assigned Root Port Role,the second port assigned Alternate Port Role and the fourth portassigned Backup Port Role each time the hello timer reaches thethreshold.
 20. The non-transitory computer-readable medium of claim 18,wherein the software when executed is further operable to: start a timerassociated with the particular port re-start the timer each time a BPDUmessage is received on the particular port; and detect the failure toreceive a BPDU message when the timer reaches the threshold.